InfoSecurity India's First Magazine on Comprehensive IT Security
InfoSecurity June 2009
Security Basics

DNS Sleight of Hand:
Understanding the Dirty Games

In this article the author explains some of the common attacks against DNS and discusses how to avoid them.

One of the most potent attacks a malicious actor can mount against the hapless internet user is to subvert the Domain Name System (DNS), whether with malware or by other means. Malware authors are increasingly looking for ways to take control of systems more subtly than in the past, and attacking DNS is one powerful way to do this.

Explaining the Attack

DNS is the backbone of the internet. It maps hostnames to IP addresses, which makes friendly names (e.g. http://www.k7computing.com) possible rather than forcing us to remember the long string of numbers that make up an IP address (the actual address of the system on the internet). Think of DNS as the telephone directory of the internet. However, the convenience of easy-to-remember names means there is also potential for attackers to exploit the fact that we never have to know the underlying address, and so have no easy way of noticing when it is wrong.

When you type a name (URL) into your browser, your computer consults the one or more DNS servers it has been configured with: it sends a query asking for that name to be resolved to an IP address, the DNS server replies with the address (if it does not already know it, it in turn queries other DNS servers until it finds an answer), and your computer then connects directly to that IP. This makes it very important that the information returned by the DNS server is accurate. Imagine that you want to connect to http://abankingwebsite.com, whose real address is 172.16.30.22 (an example; 172.16.0.0/12 is a private range), but a misconfigured or subverted server instead returns 192.168.30.22 (again an example). Your browser would happily connect to the 192.168 address and load whatever page it found there. If it were an attacker's site made to look like the real banking website, you might never notice the difference, and would inadvertently hand your financial details to the attacker. So if an attacker can somehow insert his own IP address into the reply to your DNS query, he effectively controls the site your computer connects to. Because of this, compromise of DNS services is a highly prized target for attackers, and is the source of some very damaging attacks.

Types of Attacks

One common attack is the 'man in the middle' attack. In one form, an attacker uses malware to infect a victim PC and changes its DNS settings to point at a DNS server the attacker controls. That server answers the victim's queries with whatever IP addresses suit the attacker, which effectively places the attacker's systems between the victim and any site the victim tries to reach, and lets the attacker proxy the traffic through his own server. This is a popular attack for identity theft and for stealing financial information. The advantage to the attacker is that the victim need not be aware that the traffic is passing through a second system which transparently forwards it on to the real site, which might for instance be the victim's bank. Say the attacker wants the victim's bank details; he crafts a web page that looks exactly like the bank's website, and when the victim tries to connect to the bank, the attacker's DNS answer sends them to the fake site instead, where the details entered can be collected. A sophisticated attacker may even pass those details through to the real website's form, so the user never realises anything has gone wrong.

A recent Trojan called "DNSFlusher" did exactly this sort of thing. When it infects a victim computer it sets up a DHCP server on that PC (DHCP hands out IP address settings to other hosts on the network) and starts answering DHCP requests from other machines as they join the network. Its DHCP replies carry new DNS server addresses and also set the infected machine as the default gateway, so the other machines route their internet traffic through the infected machine's connection as well as using the attacker's DNS servers for name resolution. Those DNS servers are under the attacker's control and serve up false IP addresses for whichever sites the attacker chooses. Sometimes the aim is to drive traffic to sites so that the attacker earns click-through revenue, but it can equally be to deliver new malware or to perform any number of other malicious activities.
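The rogue-DHCP behaviour attributed above to DNSFlusher is something a network monitor can catch: every DHCP OFFER or ACK seen on the wire carries the resolver (option 6) and default gateway (option 3) it wants clients to adopt, plus the identifier of the server that sent it (option 54). The following is an added example, not code from the article or from K7, that parses the DHCP option field (the type-length-value layout from RFC 2132) and flags replies whose server, resolver or gateway is not on an allow-list. The two sample payloads, the addresses and the allow-lists are constructed for illustration.

```python
"""
Added example (not from the original article): audit DHCP OFFER/ACK option
fields for attempts to change a client's resolver or default gateway, the
behaviour the article attributes to the DNSFlusher Trojan's rogue DHCP server.
Option layout is from RFC 2132; sample packets and allow-lists are constructed.
"""
import ipaddress

# DHCP option codes (RFC 2132)
OPT_PAD, OPT_ROUTER, OPT_DNS, OPT_MSG_TYPE, OPT_SERVER_ID, OPT_END = 0, 3, 6, 53, 54, 255
MAGIC_COOKIE = b"\x63\x82\x53\x63"
MSG_TYPES = {2: "OFFER", 5: "ACK"}          # the replies a client will actually apply


def parse_dhcp_options(data: bytes) -> dict:
    """Walk the TLV list that follows the 4-byte magic cookie; return {code: raw_value}."""
    if data[:4] != MAGIC_COOKIE:
        raise ValueError("missing DHCP magic cookie")
    opts, i = {}, 4
    while i < len(data):
        code = data[i]
        if code == OPT_END:
            break
        if code == OPT_PAD:                 # single-byte padding, no length field
            i += 1
            continue
        if i + 1 >= len(data):
            raise ValueError("truncated option header")
        length = data[i + 1]
        value = data[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option value")
        opts[code] = value
        i += 2 + length
    return opts


def ipv4_list(raw: bytes) -> list:
    """Decode a run of 4-byte addresses (router and DNS options may carry several)."""
    if len(raw) % 4:
        raise ValueError("address list is not a multiple of 4 bytes")
    return [str(ipaddress.IPv4Address(raw[k:k + 4])) for k in range(0, len(raw), 4)]


def audit_dhcp_reply(data: bytes, trusted_servers: set, trusted_dns: set, trusted_gateways: set) -> list:
    """Return a list of findings; an empty list means the reply matches the approved design."""
    opts = parse_dhcp_options(data)
    kind = MSG_TYPES.get(opts.get(OPT_MSG_TYPE, b"\x00")[0])
    if kind is None:
        return []                            # DISCOVER/REQUEST etc. carry nothing a client adopts
    findings = []
    server = ipv4_list(opts[OPT_SERVER_ID])[0] if OPT_SERVER_ID in opts else None
    if server not in trusted_servers:
        findings.append(f"{kind} from unknown DHCP server {server}")
    for addr in ipv4_list(opts.get(OPT_DNS, b"")):
        if addr not in trusted_dns:
            findings.append(f"{kind} pushes untrusted DNS server {addr}")
    for addr in ipv4_list(opts.get(OPT_ROUTER, b"")):
        if addr not in trusted_gateways:
            findings.append(f"{kind} pushes untrusted default gateway {addr}")
    return findings


def encode_options(*pairs) -> bytes:
    """Build an options field (cookie + TLVs + END) for the constructed samples below."""
    body = b"".join(bytes([code, len(val)]) + val for code, val in pairs)
    return MAGIC_COOKIE + body + bytes([OPT_END])


def ip(addr: str) -> bytes:
    return ipaddress.IPv4Address(addr).packed


# Constructed samples: the real corporate DHCP server, and a rogue OFFER that hands
# out an attacker resolver and makes the infected PC the default gateway.
TRUSTED_SERVERS = {"10.0.0.1"}
TRUSTED_DNS = {"10.0.0.53"}
TRUSTED_GATEWAYS = {"10.0.0.1"}
LEGIT_OFFER = encode_options((OPT_MSG_TYPE, b"\x02"), (OPT_SERVER_ID, ip("10.0.0.1")),
                             (OPT_ROUTER, ip("10.0.0.1")), (OPT_DNS, ip("10.0.0.53")))
ROGUE_OFFER = encode_options((OPT_MSG_TYPE, b"\x02"), (OPT_SERVER_ID, ip("10.0.0.77")),
                             (OPT_ROUTER, ip("10.0.0.77")),
                             (OPT_DNS, ip("198.51.100.9") + ip("10.0.0.53")))

if __name__ == "__main__":
    for name, pkt in (("legit", LEGIT_OFFER), ("rogue", ROGUE_OFFER)):
        print(name, audit_dhcp_reply(pkt, TRUSTED_SERVERS, TRUSTED_DNS, TRUSTED_GATEWAYS))
```

The rogue offer is caught three ways (unknown server identifier, a resolver outside the allow-list, and a gateway outside it), so even an attacker who leaves the legitimate resolver in second place behind his own still trips the check. Feeding real captures into this requires only stripping the fixed 236-byte BOOTP header before the cookie.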

Unfortunately, you do not have to be infected with malware to fall victim to a DNS attack. A totally clean system can be misdirected to malicious sites if the DNS server it is using is itself compromised. Several papers have been written about, and vulnerabilities disclosed that allow, man-in-the-middle attacks using DNS poisoning, spoofing and similar techniques; one fairly comprehensive paper is published by SANS at http://www.sans.org/reading_room/whitepapers/dns/1567.php

There have been many documented cases of DNS servers being attacked, and in addition to man-in-the-middle attacks, other common consequences are Denial of Service (DoS) and cache poisoning.

DNS Denial of Service (DoS) attacks work because hosts rely on name resolution to obtain the correct IP address for a system. If every DNS reply points to an invalid or non-existent IP address, the host is essentially 'blind' to the rest of the world. This sort of attack is confined to the machines using the compromised DNS server, but it can nonetheless be very damaging to the victims: imagine your business being unable to reach the internet for a day. Denial of Service can also be achieved by overloading the network or a DNS server, for example by directing thousands of malware-compromised machines in a botnet to send queries to the same server; the effect is to deny network access to the many hosts whose own queries can no longer get through. A major vulnerability discovered in the DNS system in 1999 left systems vulnerable to exactly this sort of attack.

A third type of attack uses an exploit, a specially crafted packet that may give the attacker control over a DNS server, leaving him free to compromise further systems by redirecting the queries sent to that server. DNS servers are very powerful in terms of the information they hold, and gaining control of one can give an attacker control over any host that relies on it. In 2005 Cisco described a vulnerability in which a specially constructed DNS packet could compromise a device or cause it to crash, resulting in a Denial of Service (http://www.cisco.com/warp/public/707/cisco-sn-20050524-dns.shtml).

In 2008, security researcher Dan Kaminsky revealed one of the most serious vulnerabilities in DNS to date. Exploiting it allows an attacker to poison the cache of a recursive DNS server in such a way that clients can be arbitrarily redirected to a host of his choosing, and because the cache is shared, a single success misdirects every client of that server. The weakness was present in many DNS implementations, and anyone running a DNS server should ensure it is patched as soon as possible; the co-ordinated fix randomises the UDP source port of outgoing queries so that a forger must guess both the 16-bit transaction ID and the port, which raises the cost of the attack enormously without removing the underlying weakness. A good description of the problem is given on the unixwiz website at http://www.unixwiz.net/techtips/iguide-kaminsky-dns-vuln.html. Although patches are now available for this and other known problems with DNS services, there is no doubt that attackers are still on the lookout for new ways to damage this precious internet resource.
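To make concrete both the resolution step described earlier (query out, answer back, connect to whatever address came back) and why the cache-poisoning attack above depends on guessing, here is an added example, not code from the article or from Kaminsky's research, that builds and parses DNS messages in their wire format and models the check a resolver applies to an incoming reply. A blind attacker who cannot see the outstanding query has to forge a reply that passes that check before the real one arrives; the model shows how many forgeries that takes when only the 16-bit transaction ID is checked, versus when the randomised source port must match too. The hostname, addresses, port numbers and attacker budget are constructed, and nothing is sent on the network.

```python
"""
Added example (not from the original article): a minimal DNS wire-format
builder/parser plus a model of the resolver-side acceptance check, to show why
a blind cache-poisoning attacker must guess the 16-bit transaction ID and why
randomising the resolver's UDP source port (the mitigation rolled out after
Kaminsky's 2008 disclosure) multiplies the guessing space. Names, addresses
and ports are constructed; nothing is sent on the network.
"""
import struct


def encode_name(name: str) -> bytes:
    """'www.example.com' -> b'\\x03www\\x07example\\x03com\\x00'."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def decode_name(msg: bytes, off: int):
    """Decode a name at `off`, following compression pointers; return (name, next_off)."""
    labels, end, jumped = [], off, False
    while True:
        ln = msg[off]
        if ln & 0xC0 == 0xC0:                       # 11xxxxxx: pointer to an earlier name
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if not jumped:
                end = off + 2
            off, jumped = ptr, True
            continue
        off += 1
        if ln == 0:
            break
        labels.append(msg[off:off + ln].decode("ascii"))
        off += ln
    return ".".join(labels), (end if jumped else off)


def build_query(txid: int, name: str) -> bytes:
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)      # RD=1, QDCOUNT=1
    return header + encode_name(name) + struct.pack("!HH", 1, 1)     # QTYPE=A, QCLASS=IN


def build_response(txid: int, name: str, ipv4: str, ttl: int = 300) -> bytes:
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)      # QR,RD,RA; 1 question, 1 answer
    question = encode_name(name) + struct.pack("!HH", 1, 1)
    rdata = bytes(int(o) for o in ipv4.split("."))
    # The answer's owner name is a compression pointer to the question name at offset 12.
    answer = b"\xC0\x0C" + struct.pack("!HHIH", 1, 1, ttl, 4) + rdata
    return header + question + answer


def parse_response(msg: bytes) -> dict:
    txid, flags, qdcount, ancount = struct.unpack("!HHHH", msg[:8])
    qname, off = decode_name(msg, 12)
    off += 4                                                        # skip QTYPE/QCLASS
    answers = []
    for _ in range(ancount):
        aname, off = decode_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata, off = msg[off:off + rdlen], off + rdlen
        if rtype == 1 and rdlen == 4:                              # A record
            answers.append((aname, ".".join(str(b) for b in rdata), ttl))
    return {"txid": txid, "flags": flags, "qname": qname, "answers": answers}


def accepts(pending: dict, reply: bytes, reply_dst_port: int, check_port: bool) -> bool:
    """Resolver check for an outstanding query: TXID and question must match;
    with check_port=True the reply must also arrive on the randomised source port."""
    r = parse_response(reply)
    if r["txid"] != pending["txid"] or r["qname"] != pending["qname"]:
        return False
    return (not check_port) or reply_dst_port == pending["src_port"]


def blind_poison(pending: dict, evil_ip: str, port_guess: int, budget: int, check_port: bool) -> int:
    """Attacker who cannot see the query enumerates TXIDs toward one guessed port.
    Returns how many forgeries were sent before one was accepted, or -1 if the budget ran out."""
    for txid in range(budget):
        forged = build_response(txid, pending["qname"], evil_ip)
        if accepts(pending, forged, port_guess, check_port):
            return txid + 1
    return -1


if __name__ == "__main__":
    pending = {"txid": 0x1234, "qname": "www.example.com", "src_port": 40000}
    real = build_response(0x1234, "www.example.com", "203.0.113.5")
    print("real reply accepted:", accepts(pending, real, 40000, True))
    print("pre-fix (fixed port, TXID only) forgeries needed:",
          blind_poison(pending, "198.51.100.9", 53, 0x10000, False))
    print("post-fix (random port) with wrong port guess:",
          blind_poison(pending, "198.51.100.9", 53, 0x10000, True))
```

With the transaction ID as the only secret, the whole space is 65,536 forgeries and the attacker wins well inside it; with a randomised port he must guess it as well, so the same budget fails unless the port happens to be right. The model also shows why the fix is only a mitigation: the resolver still accepts any reply that matches, so a stronger attacker (one on the network path, or one with enough bandwidth to cover both spaces) is not stopped.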

Combating Ugly Threats

So what can be done about it? In the case of the DNSFlusher attack, or any other attack that tries to change the local DNS settings on a machine, one defence within a corporate network is to run dedicated internal DNS servers and allow only those servers to talk to the internet on the DNS port. DNS uses port 53 (UDP, and TCP for larger answers and zone transfers), so it is a good idea to block your ordinary systems from reaching port 53 outside the network unless they are your DNS servers; most firewalls are easily configured to do this. With such a rule in place, if the DNS settings on a local machine are changed to point at an outside server, name resolution simply breaks instead of quietly going to the attacker's server, which tells you very quickly that you have a problem.

If you run DNS servers, keep them properly patched with the latest updates and, where possible, make them 'authoritative only', that is, do not let them perform recursive lookups for other domains on behalf of arbitrary clients. Separating the authoritative role from the recursive one, and restricting recursion to your own networks, means an outsider cannot induce your server to fetch and cache answers, which greatly reduces its exposure to cache-poisoning attacks.

You should also pay attention to SSL digital certificates. If you are redirected to a malicious site, the attacker may serve a certificate to make it look legitimate, but he cannot normally obtain one that a trusted authority has issued for the real site's name, so the browser will warn you and inspecting the certificate will usually reveal the discrepancy. Unfortunately, many legitimate businesses have old, incorrect or otherwise invalid certificates on their own sites, so users have learned to click through such warnings, and this is not a foolproof method.

If you are not running your own DNS servers, using a service such as OpenDNS (http://www.opendns.com/) is a good idea. Set the DNS parameters manually and allow port 53 connections only to those servers. This should ensure that you get 'good' DNS replies, although there is not much you can do if OpenDNS itself comes under a Denial of Service attack.

Finally, you should run a regularly updated anti-malware product on your computers and patch the operating system promptly (this holds true for all operating systems; Macs and Linux systems have malware problems too, not only Windows). Following these guidelines will help reduce your exposure to malicious threats, and understanding services such as DNS is important in ensuring a trouble-free life on the internet.

—By: Andrew Lee, CTO K7 Computing Limited.



© 2006-07 'InfoSecurity' magazine. All rights reserved.